ea-chatbot-lg/backend/tests/test_oidc_validation.py

import pytest
from unittest.mock import MagicMock, patch
from ea_chatbot.auth import OIDCClient
from jose import jwt

@pytest.fixture
def oidc_config():
    return {
        "client_id": "test_id",
        "client_secret": "test_secret",
        "server_metadata_url": "https://example.com/.well-known/openid-configuration",
        "redirect_uri": "http://localhost:5173/auth/callback"
    }

@pytest.fixture
def mock_metadata():
    return {
        "issuer": "https://example.com",
        "jwks_uri": "https://example.com/jwks",
        "id_token_signing_alg_values_supported": ["RS256"]
    }

def test_oidc_validate_id_token_success(oidc_config, mock_metadata):
    client = OIDCClient(**oidc_config)
    
    id_token_payload = {
        "iss": "https://example.com",
        "sub": "user123",
        "aud": "test_id",
        "nonce": "test_nonce",
        "exp": 9999999999,
        "iat": 1000000000
    }
    
    # Mock JWT decoding, JWKS fetching, and metadata fetching
    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
         patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
         patch.object(client, "fetch_metadata") as mock_fetch_metadata:
        
        mock_decode.return_value = id_token_payload
        mock_fetch_metadata.return_value = mock_metadata
        mock_fetch_jwks.return_value = {"keys": []}
        
        claims = client.validate_id_token("fake_token", nonce="test_nonce")
        
        assert claims == id_token_payload
        mock_decode.assert_called_once()

def test_oidc_validate_id_token_invalid_nonce(oidc_config, mock_metadata):
    client = OIDCClient(**oidc_config)
    
    id_token_payload = {
        "iss": "https://example.com",
        "aud": "test_id",
        "nonce": "wrong_nonce",
        "exp": 9999999999
    }
    
    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
         patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
         patch.object(client, "fetch_metadata") as mock_fetch_metadata:
        
        mock_decode.return_value = id_token_payload
        mock_fetch_metadata.return_value = mock_metadata
        mock_fetch_jwks.return_value = {"keys": []}
        
        with pytest.raises(ValueError, match="Invalid nonce"):
            client.validate_id_token("fake_token", nonce="test_nonce")